Traditional alphanumeric passwords suffer from a variety of limitations. One limitation relates to a user's ability to remember a strong password that is not easily guessed using automated and/or manual attack methodologies. For example, a long, random sequence of numbers, letters, and/or characters may be utilized to generate a strong password that is not easily guessed or otherwise ascertained. However, most users have difficulty remembering such a strong password and will either write it down (creating the risk that the written password is physically stolen or otherwise visually observed) or will choose a simpler (weak) password that is based upon information familiar to the user (such as significant dates, names, and/or dictionary words) or that uses fewer and/or repetitive characters. While these weak passwords may be readily remembered, they also may be readily guessed, thereby increasing the likelihood that the weak password will be compromised.
These issues are compounded by the fact that most users have a large number of electronic accounts (such as personal email, personal network, work email, work network, bank accounts, brokerage accounts, credit card accounts, retail accounts, etc.) and that each of these electronic accounts may have its own respective password for access thereto. Thus, a user is presented with a dilemma. In the interest of being able to remember the respective passwords, the user might select the same password for several, or even all, electronic accounts. However, if this password is stolen or otherwise compromised, all of the electronic accounts that utilize this password may be compromised. Alternatively, the user might choose a different password for each electronic account (whether weak or strong); however, the user then must remember different passwords for all of these accounts.
In addition, and regardless of the strength of a selected password, malicious software exists that may be utilized to steal a password from a targeted user. For example, keystroke logging software may capture the sequence of keys entered by the user while logging in to an electronic resource, and an unauthorized individual may utilize these logged keystrokes to log into the electronic resource without the user's permission. Alternatively, even if the password is entered securely by the user, it may be intercepted during transmission from the user to the electronic resource. Many selected passwords, regardless of their individual strength, are vulnerable to being compromised (i.e., stored, copied, or otherwise identified) during transmission from the user (client/user side) to the corresponding remote site (server/resource side).
Graphical, or graphic-based, passwords have been utilized to generate strong passwords that may be more readily remembered by the user. Illustrative, non-exclusive examples of graphical passwords, including methods for generating and/or utilizing such passwords, are disclosed in U.S. Pat. No. 8,181,029 and U.S. Patent Application Publication Nos. 2011/0040946 and 2011/0055585, the complete disclosures of which are hereby incorporated by reference. However, these graphic-based passwords still suffer from inherent limitations and/or still may be compromised and/or intercepted during transmission. Thus, there exists a need for improved systems and methods for secure electronic authentication.